ABSTRACT 



A technique for determining whether particular clients 
within a computer network are universally configured in 
accordance with the desired network security features of the 
computer network. A probe is randomly inserted within 
incoming files, e.g., at a firewall in the computer network. 
The probe is configured as a function of a particular execu- 
tion task, e.g. a known virus, such that in a properly 
configured client the probe will not execute and the firewall 
does not detect a security breach. However, if the client is 
misconfigured, i.e., not in compliance with the standard 
network security features, the probe will execute and trigger 
an alarm in the firewall indicating that the client is vulner- 
able to a security breach. Advantageously, a network secu- 
rity administrator can take appropriate action to correct 
those clients which are misconfigured. 

28 Claims, 2 Drawing Sheets 
COMPUTER SECURITY USING VIRUS PROBING 

FIELD OF THE INVENTION 

The present invention relates to network security and, 
more particularly, to a technique for the verification of 
security measures employed in computer networks. 

BACKGROUND OF THE INVENTION 

Advances in communications technology and the availability 
of powerful desktop computer hardware have 
increased the use of computers to access a variety of publicly 
available computer networks. Today, a tremendous amount 
of information is exchanged between individual users 
located around the world via public computer networks, e.g., 
the Internet. One class of users includes private individuals 
and professional users interconnected via a private network, 
e.g., a corporate intranet. The exchange of information 
between private and public computer networks has pre- 
sented a variety of critical security issues for the protection 
of information on the private computer networks and the 
overall functionality of the private computer network itself. 

Computer network security, at a minimum, is directed to 
ensuring the reliable operation of computing and networking 
resources, and protecting information within the network 
from unauthorized disclosure or access. Various security 
threats exist which pose increasingly difficult challenges to 
such network security. In particular, some of the most 
sophisticated types of security threats are posed by programs 
which exploit certain vulnerabilities within network com- 
puting systems. To name a few, these program-related secu- 
rity threats include well-known logic bombs, trapdoors, 
trojan horses, viruses and worms, as described, e.g., by W. 
Stallings, Network and Internetwork Security Principles and 
Practice, Prentice-Hall, Inc., Englewood Cliffs, N.J., 1995. 
Such well-known software program threats either work 
independently (e.g., worms) to achieve their desired security 
breach, or require the invocation of a host program to be 
invoked to perform the desired disruptive actions (e.g., 
trapdoors, logic bombs, trojan horses or viruses.) Indeed, 
there are numerous well publicized accounts of such pro- 
grams being used to improperly breach the security of 
private computer networks and cause severe damage (see, 
e.g., J. Hruska, Computer Viruses and Anti-Virus Warfare, 
Second edition, Ellis Horwood Limited, New York, 1992.) 
Such damage has included the destruction of electronic files, 
alteration of databases, or the disabling of the computer 
network itself or computer hardware connected to the 
affected network. 

Network administrators responsible for the operation of 
private computer networks employ a variety of security 
measures to protect the network from external security 
breaches such as the introduction of computer viruses. One 
technique uses so-called firewalls. This security scheme 
essentially places a separate computer system, i.e., the 
firewall, between the private network and the public 
network, e.g., the Internet. These firewalls are software- 
based gateways that are typically installed to protect com- 
puters on a local area network ("LAN") from attacks by 
outsiders, i.e., unauthorized users. The firewall maintains 
control over communications from and to the private net- 
work. Essentially, the firewall imposes certain security mea- 
sures on all users employing the private network. For 
example, firewalls may block access to new Internet services 
or sites on the World Wide Web ("WWW") because the 
security consequences are unknown or not accounted for by 
the present firewall configuration. One potential installation 
configuration of a firewall is that WWW clients can no longer 
directly contact WWW servers. Typically, this proves too 
restrictive, and network administrators employ so-called 
"proxy servers". Proxy servers are designed with certain 
features which provide for the forwarding of requests from 
WWW clients through the firewall thereby providing 
communication flow to and from servers on the Internet. 

Recently, firewall vendors have included so-called "virus 
filtering" features to address critical security issues 
associated with virus infection. More particularly, this virus 
filtering at the firewall is conceptually similar to well-known 
virus scanning typically employed on client machines, e.g., 
personal computers, which reside within a LAN in a 
conventional client/server arrangement. In such client-based 
virus detection, virus scanning is accomplished using a 
program which searches through, e.g., the operating system, 
executable files, system files, boot records, and memory, of 
the client looking for the presence of undesirable software 
entities. Computer viruses are detected by the virus scanner 
by using previously defined "virus signatures" associated 
with each virus. The virus signature is typically a fixed-length 
signature pattern, e.g., a 16 to 24 byte pattern, extracted from 
the known virus by the vendor of the virus scanning software. 
The virus scanning software contains a list of signatures for 
known computer viruses and scans the various files in a 
particular client looking for a match to a particular virus 
signature. If a match is found, this entity of the client is 
"infected" and the user is notified accordingly. 

The incorporation of virus filtering within commercially 
available firewalls provides for virus detection by scanning 
files transmitted through the firewall. While this provides the 
firewall with additional network security capabilities, 
implementing the virus filter at the firewall presents certain 
operational difficulties which include: (1) a substantial 
amount of processing must be accomplished at the firewall 
which degrades network performance through the introduction 
of latency which affects applications executing in the 
network; and (2) the firewall itself contains less operational 
and data intelligence with regard to individual clients in the 
network which leads to a less precise scan of the incoming 
data by the firewall than could be accomplished by a 
client-based virus scanner. 

Therefore, given the potential drawbacks in firewall-based 
virus filtering, most network security administrators opt for 
providing virus screening in the client machines across the 
network rather than in the firewall itself. Currently, a number 
of popular commercial computer virus scanners are used for 
such client-based scanning. Typically, network security 
administrators will select a particular commercially available 
virus scanning program and install the program across all the 
clients of the network. Of course, the effectiveness of the 
virus scanning software is a function of the uniformity of 
installation and periodic updating of the virus signature 
listing used by the software to include newly identified 
viruses. As will be appreciated, for very large client/server 
networks the task of ensuring that the virus detection 
software is universally installed and updated on all clients is 
significant and not always achievable. A client-by-client 
inspection is labor intensive and cannot be undertaken on a 
frequent enough basis to ensure conformity. Therefore, 
individual users are typically responsible for updating their 
virus scanning software by, e.g., downloading the most 
current virus signature listing from a central source. Of 
course, the lack of diligence and infrequency of such updates 
by individual users can lead to potential security breaches 
within the network. 
A need exists therefore for ensuring that network security 
features are universally configured throughout a computer 
network. 

SUMMARY OF THE INVENTION 

The present invention provides a technique for determining 
whether particular clients within a computer network are 
universally configured in accordance with the desired security 
features of the computer network. In accordance with the 
invention, a probe is randomly inserted within incoming files 
in the computer network. Illustratively, the insertion of 
probes occurs in a firewall which separates the computer 
network from other networks. The probe, in accordance with 
an embodiment of the invention, is configured as a function 
of a particular execution task, e.g. a known virus, such that 
in a properly configured client the probe will not execute and 
the firewall does not detect a security breach. However, if the 
client is misconfigured, i.e., is not in compliance with the 
standard network security measures, the probe will execute 
and trigger a security alert in the firewall indicating that the 
client is vulnerable to a security breach. Advantageously, a 
network security administrator can take appropriate action to 
correct those clients which are misconfigured. 

In preferred embodiments of the invention, the probe is 
configured as a virus probe in the form of a trojan horse 
which, if executed on a client, will launch a signal back to 
the firewall indicating that the client is misconfigured. In 
further embodiments of the invention, the signal back to the 
firewall is a User Datagram Protocol ("UDP") packet. In 
accordance with a further embodiment of the invention, the 
virus probe is inserted upon a first Internet access from a 
particular IP address or browser type, and thereafter virus 
probes are inserted at random intervals. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows an exemplary system embodying the principles 
of the invention; 

FIG. 2 is a flowchart of operations illustratively performed 
by the firewall of FIG. 1 in implementing the present 
invention, and 

FIG. 3 shows an illustrative communications traffic stream 
transmitted in the system of FIG. 1 and configured in 
accordance with the invention. 

DETAILED DESCRIPTION 

The present invention provides a technique for determining 
whether particular clients within a computer network are 
universally configured in accordance with the desired security 
features of the computer network. In accordance with the 
invention, a probe is randomly inserted within incoming 
files, illustratively, at a firewall in the computer network. 
The probe, in accordance with an embodiment of the 
invention, is configured as a function of a particular 
execution task, e.g. a known virus, such that in a properly 
configured client the probe will not execute and the firewall 
does not detect a security breach. However, if the client is 
misconfigured, i.e., is not in compliance with the standard 
network security measures, the probe will execute and 
trigger an alarm in the firewall indicating that the client is 
vulnerable to a security breach. Advantageously, a network 
security administrator can take appropriate action to correct 
those clients which are misconfigured. 

FIG. 1 shows an exemplary system embodying the principles 
of the invention. As shown in FIG. 1, the system includes 
public network 100, e.g., the Internet, and network resources 
105, 110, 115, 120 and 125. Illustratively, network resources 
105 through 125 can be linked together using files written in 
the well-known Hypertext Mark-up Language ("HTML") 
thereby representing the well-known WWW. The WWW and 
HTML are described in more detail, e.g., by B. White, HTML 
and the Art of Authoring for the World Wide Web, Kluwer 
Academic Publishers, Norwell, Mass., 1996. Illustratively, 
private network 130 is a network located within a particular 
site, e.g., a corporation's headquarters building, having user 
terminals 165-1, 165-2, 165-3 and 165-4 linked together via 
LAN 170. As will be appreciated, user terminals 165-1 
through 165-4 can be stand-alone personal computers or 
network terminals. For simplicity of explanation herein, only 
one such LAN configuration is shown in FIG. 1, however, as 
will be appreciated private network 130 may include several 
such LAN configurations similar in nature to LAN 170. A 
particular user of any one of user terminals 165-1 through 
165-4 may cause a client program executing on, e.g., user 
terminal 165-3, to request certain resources which are 
available on the WWW, e.g., network resources 105-125. As 
mentioned previously, such requests to the WWW via the 
Internet from private network 130 present security risks to 
both private network 130 and user terminals 165-1 through 
165-4. Thus, as shown in FIG. 1, private network 130 
includes firewall 180 and proxy server 135 which are 
configured to deliver certain security features, in accordance 
with the invention, to protect private network 130 and its 
various computing resources. 

As discussed previously, network administrators responsible 
for the operation of private computer networks, e.g., private 
network 130, employ a variety of security measures to 
protect the network from external security breaches such as 
the introduction of computer viruses. One technique places a 
separate computer system, i.e., the firewall, between the 
private network and the public network, e.g., the Internet. 
The firewall monitors and maintains control over 
communications from and to the private network. More 
particularly, where a private network employs a firewall, the 
firewall first determines if the requested connection between 
a user terminal in the private network and the public network 
is authorized. The firewall serves as an intermediary between 
the user terminal in the private network and the public 
network and, if the connection is authorized, facilitates the 
requisite connection between the two networks. Alternatively, 
if the connection is unauthorized, the firewall prevents any 
connection between the networks from occurring. 

In accordance with the illustrative embodiment of the 
invention shown in FIG. 1, proxy server 135 includes 
processor 140, web proxy 145, file transport protocol 
("FTP") proxy 150 and mail proxy 160. As will be 
appreciated, these illustrative proxies enable the proxy 
server, working in conjunction with the firewall, to provide 
security features for WWW/Internet access, file transfers 
and electronic mail, respectively. For example, web proxy 
145 is used when a user desires to access particular "web 
pages" on the WWW from private network 130. 
Illustratively, a user employing user terminal 165-3 may 
access certain web pages on the WWW using web browser 
166. Web browsers are well-known software application 
programs (e.g., Netscape® v. 5.0, available from Netscape 
Communications) which enable a user to traverse the WWW 
and access the vast amount of information available 
throughout the WWW. Thus, web browser 166 receives an 
input request from the user of user terminal 165-3 and 
attempts to locate the information on the WWW by 
establishing a connection with the appropriate resource, e.g., 
network resource 105, on the WWW through public network 
100. The connection between user terminal 165-3 and net- 
work resource 105 is established using proxy server 135, 
web proxy 145 and firewall 180. More particularly, web 
proxy 145, acting on behalf of web browser 166, will 
attempt to establish a conventional Transfer Control 
Protocol/Internet Protocol ("TCP/IP") connection between 
user terminal 165-3 and network resource 105. As is well- 
known, TCP/IP is the protocol which is used in describing 
the way in which information is transferred across the 
Internet. Essentially, TCP/IP separates information into indi- 
vidual packets and routes these packets between the sending 
computer, e.g., server, and the receiving computer, e.g., 
client. TCP/IP and Internet communications are discussed in 
more detail, e.g., by D. Comer, Internetworking with TCP/ 
IP, Third edition, Prentice-Hall, Englewood Cliffs, N.J., 
1995. In the present embodiment, the TCP/IP connection 
between user terminal 165-3 and network resource 105 is 
made across communication channels 190 and 195, 
respectively, which establish connection between public 
network 100, private network 130 and, ultimately, user 
terminal 165-3. 

As seen from FIG. 1, all communications traffic between 
public network 100 and private network 130 necessarily 
passes through firewall 180. In recognition of this commu- 
nications traffic attribute, I have realized that the firewall 180 
provides a preferred location for implementing the security 
advantages of my invention. Illustratively, in accordance 
with the preferred embodiment of the invention, firewall 180 
illustratively includes processor 181, database 182, and virus 
prober 185 which randomly inserts probes within incoming 
files from, e.g., public network 100, to, e.g., private network 
130. In accordance with the invention, the probes inserted by 
the virus prober 185 are individual programs which will 
trigger particular actions upon execution. In accordance with 
an embodiment of the invention, the probe is a virus probe 
configured as a trojan horse which, if executed on a client, 
will launch a signal back to the firewall indicating that the 
client is misconfigured. Typically, from a computer virus 
perspective, a trojan horse is a secret, undocumented entry 
point placed into a useful application program by an unau- 
thorized user, e.g., computer hacker. In the normal course of 
execution of the useful application program by a user the 
trojan horse is also executed thereby launching the undesired 
actions. Trojan horses are described in more detail in 
Stallings, supra, at pp. 238-241. For example, a trojan horse 
can be created to gain access to the files of another user on 
a shared computer system, wherein the unauthorized user 
creates a trojan horse program that, when executed, changes 
the authorized user's file permissions so that their files 
become readable by any user. This embodiment of the 
invention utilizes particular features of the trojan horse for 
delivery of various security advantages to computer net- 
works as discussed in more detail below. 

In accordance with the invention, the virus probe inserted 
by virus prober 185 at firewall 180 is benign in that the probe 
is designed to provide a signal back to firewall 180 if 
executed, rather than perform some destructive action as in 
the conventional trojan horse sense as described previously. 
The security features of the invention are preferably imple- 
mented and realized at the firewall, e.g., firewall 180, 
because in networks where firewalls are employed all com- 
munications traffic must pass through the firewall. Thus, the 
firewall is an ideal location for inserting probes in accor- 
dance with the invention. However, as will be appreciated, the 
principles of the invention are also realized in other network 
environments and configurations. For example, in accor- 
dance with a further embodiment of the invention, the 
insertion of probes can be accomplished using a particular 
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proxy server within a network that is known to have a high 
rate of common access and is trusted. For example, a trusted 
server within a private network which mainly provides an 
online telephone directory is also an excellent candidate for 
implementing the principles of the invention due to the fact 
that this server will be utilized by a high number of users 
within the private network. Thus, the security features 
delivered by the present invention are realized in a variety of 
network, hardware and software configurations including, 
but not limited to, the system configuration of FIG. 1. 

The operations of delivering network security through the 
insertion, monitoring and execution of probes in accordance 
with the invention is shown in the illustrative operations of 
FIG. 2. In accordance with the preferred embodiment of the 
invention, as described above, the operations of FIG. 2 are 
initiated within firewall 180. More particularly, in accor- 
dance with the invention, the communications traffic stream, 
e.g., in and out of private network 130, is continually 
monitored (block 200). During the course of monitoring the 
communications traffic stream transmitted across the 
network, probes are randomly inserted into incoming files 
(block 205) destined for private network 130. The structural 
aspects of the probe of the invention are described below in 
more detail with regard to FIG. 3. In accordance with the 
invention, the probes are designed, if executed on a client, 
to trigger a signal indicative of a security alert. 

Illustratively, the signal can be a request for a network 
resource. Since all such requests must be made through the 
firewall, this ensures that when a probe configured in accor- 
dance with the invention triggers such a request, the request 
can effectively be utilized as the signal to the firewall. That 
is, such signals triggered by the probe will be immediately 
recognizable by the firewall. In further embodiments of the 
invention, the signal can be in the form of a conventional 
User Datagram Protocol ("UDP") packet. As will be 
appreciated, UDP is a transport protocol which runs on top 
of the conventional TCP/IP protocol and provides a low 
overhead mechanism for two applications to quickly 
exchange small amounts of data. UDP requires less over- 
head than typical TCP/IP packet exchanges because UDP is 
a less secure protocol than TCP/IP. That is, UDP is trans- 
action oriented, and packets may be duplicated, lost or 
received in a different order than as originally sent. In 
contrast, TCP/IP is more reliable because the protocol goes 
to significant lengths (e.g., generating checksums, acknowl- 
edging the receipt of packets, retransmitting lost packets) to 
insure that data arrives at its destination intact. Since UDP 
has no such overhead it is considerably faster than TCP/IP 
and is ideal for applications, as in various embodiments of 
the invention, that transmit short bursts of data, need faster 
network throughput, or do not require verification of deliv- 
ery at the destination. As will be appreciated, other types of 
signal configurations, in addition to those described above, 
which will be equally effective in delivering the various 
aspects of the invention. 

Thus, when firewall 180 receives the security alert 
indication, e.g., UDP packet, that a particular probe has 
executed (block 210), the firewall will identify the probe and 
client (block 215) and generate the security alert (block 
220). The nature and type of the security alert generated, in 
accordance with the invention, can be in a variety of forms. 
Illustratively, the security alert generated by firewall 180 
could be an immediate notification to the network adminis- 
trator indicating that a particular client or clients within the 
network currently present a security risk. In a further 
embodiment of the invention, as probes are executed by 
various ones of the clients within the network, a log entry is 
made in a master file, e.g. stored in database 182, which can 
be accessed by the network administrator at regular intervals 
or a printed report could be generated from the log for 
review by the administrator. 
Advantageously, the invention provides a technique for 
determining whether particular clients within a computer 
network are universally configured in accordance with the 
desired network security features of the computer network. 
For example, one conventional security measure dictated by 
most network administrators is a policy that all users within 
a network, e.g., private network 130, disable certain features 
of their web browser software, e.g. Netscape®, and in 
particular the Javascript interpreter feature of the web 
browser. Javascript is described in more detail, e.g., by D. 
Flanagan, Javascript The Definitive Guide, Second edition, 
O'Reilly & Associates, Sebastopol, Calif., 1997. Briefly, 
Javascript is a well-known interpreted programing language 
useful, e.g., in developing programs which relate to and 
involve web browsers and HTML. For example, when a web 
browser includes a Javascript interpreter, the browser 
enables executable content, e.g., programs, to be distributed 
over the Internet (and WWW) in the form of Javascript 
"scripts". When the script is loaded into a Javascript-enabled 
browser the script is executable and will produce particular 
output as defined by the Javascript instructions of the script. 
Thus, Javascript allows for the control over the web browser, 
and also the content of that which appears in a web page, 
e.g., HTML forms. As will be appreciated, these features 
which are enabled through the use of Javascript present 
serious network security risks. 

The import of the present invention in the web browser 
environment described above is detailed in the following 
illustrative embodiments. Turning our attention to FIGS. 1 
and 3, private network 130 includes a plurality of users 
employing user terminals 165-1 through 165-4. As discussed 
previously, each user terminal can be configured with a web 
browser such as web browser 166 executing on user terminal 
165-3. As will be readily understood, the configuration of 
user terminal 165-3 is easily replicated on each of the other 
user terminals within the private network but for purposes of 
clarity herein only one such configuration is shown in FIG. 
1. Thus, in conformance with the security policy for private 
network 130, all web browsers are to have their Javascript 
interpreter disabled to prevent the execution of scripts which 
may be introduced from foreign sources, e.g., a public 
network, and subject the private network to various security 
risks. Of course, such a security measure is only effective if 
the users of the network comply. Typically, in most private 
networks there will exist, at any one time, particular user 
terminals which are not in compliance with the prescribed 
security measures. Thus, these non-complying user termi- 
nals represent a security risk to the entire network and a 
constant challenge to the network administrator for insuring 
full compliance with all security measures across the entire 
private network. 

As discussed previously, the invention provides a tech- 
nique for determining whether particular clients within a 
computer network are universally configured in accordance 
with the desired network security features of the computer 
network. More particularly, firewall 180 is configured, as 
described above, in accordance with the invention to insert 
probes into the incoming communications traffic stream to 
private network 130. FIG. 3 shows an illustrative incoming 
communications traffic stream 300 and the insertion of an 
illustrative probe in accordance with the principles of the 
invention. In particular, communications traffic stream 300 
includes a series of individual packets 300-1 through 300-n, 
e.g., TCP/IP packets, carrying data from public network 100 
to private network 130. Thus, in accordance with the 
invention, firewall 180 monitors communication traffic 
stream 300 and randomly inserts probes into incoming files 
within particular ones of the packets. For example, packet 
300-4 contains incoming file 305, illustratively a file having 
a series of HTML instructions 310. In accordance with the 
invention, virus prober 185 inserts probe 315, illustratively, 
at the end of HTML instructions 310. In accordance with 
various embodiments of the invention, probe 315 is inserted 
upon a first Internet access from a particular IP address (i.e., 
client) or browser type, and thereafter virus probes are 
inserted at random intervals. Illustratively, probe 315 is a 
virus probe in trojan horse form, as previously discussed, 
wherein the insertion of probe 315 into file 305 results in 
edited file 325. Thereafter, edited file 325 proceeds in the 
transmission of communications traffic stream 300 to private 
network 130. 

Illustratively, probe 315 is a single Javascript instruction 
320. As shown, Javascript instruction 320 is of the form 
"<SCRIPT>x=new Image(); x.src='image1';</SCRIPT>" 
which, as discussed above, is an interpreted scripting 
language statement for controlling a web browser. Further, 
illustratively, "image1" is a unique string of characters for 
identifying probe 315. Basically, probe 315 is a trojan horse 
which directs the web browser to allocate an off-screen 
bitmap space, i.e., "new Image()", and download a small 
image, i.e., "image1". In accordance with various 
embodiments of the invention, the probes can either be stored in 
database 182 for access by virus prober 185 or stored locally 
within virus prober 185 itself. In accordance with a further 
embodiment, probes can be downloaded by network admin- 
istrators from a central source, e.g., the Internet, and added 
to the existing probe library. In accordance with the 
invention, if web browser 166 is in compliance with the 
illustrative network security feature which requires that all 
web browsers have their Javascript interpreter disabled, 
probe 315 will not execute and firewall 180 will not generate 
any security alert. However, in accordance with the inven- 
tion if web browser 166 is misconfigured, probe 315 will 
execute causing web browser 166 to initiate a request for the 
image file, i.e., image1. As described previously, the mere 
request by web browser 166, in accordance with an embodi- 
ment of the invention, for a network resource is captured by 
firewall 180 thereby serving as the signal of a security alert. 
There is no reason for a properly configured web browser to 
ask for such a network resource, i.e., imagel, unless it is 
improperly configured and outside of established network 
security measures. That is, execution of probe 315 means 
that web browser 166 is Javascript enabled which is not in 
compliance with the desired security measure of the private 
network 130 and therefore poses a security risk to the 
network. 

As described previously, a further embodiment of the invention employs a UDP packet as the signal back to the firewall when a security alert has occurred. In such an embodiment, file 305 is, illustratively, a file containing certain executable instructions. As is well-known, files having the extension ".exe" are binary executable files. Thus, in accordance with the invention, probe 315 will be inserted into file 305 at an appropriate location where it is known to be safe for overwriting a small number of bytes of file 305 for insertion of probe 315. In accordance with this embodiment of the invention, probe 315 will launch a UDP packet when a security alert occurs. Illustratively, the actual machine instructions inserted into file 305 are generated by compiling the following code segment written in the well-known C programming language: 

#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* fields in order: family, port, address, padding (positional initializer as given in the patent) */
struct sockaddr_in sin={0,9,{0xF14E8A11},0,0,0,0,0,0,0,0};
int s=socket(PF_INET,SOCK_DGRAM,0);
connect(s,&sin,sizeof(sin));
write(s,"\x88",1);   /* one-byte datagram; the transcription read write(s,0x88,l), but write() needs a buffer pointer */
close(s);

As will be appreciated by those skilled in the art, the above illustrative C program segment, after being compiled into machine code, is inserted as probe 315 into file 315 and will generate the desired UDP packet upon probe execution. That is, if probe 315 is executed on a particular user terminal, a UDP packet will be launched to firewall 180 as the signal indicating that the user terminal is a potential security risk. 
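The two signals described above (a web browser fetching the canary image, and an executable probe sending a UDP datagram to the firewall) both have to be attributed back to a user terminal and to the probe that fired. The following is an added example of that firewall-side correlation; it is not code from the patent. The log line format, the probe resource names, the addresses and the probe registry are all constructed for the example.

```python
"""Firewall-side correlation of probe signals to user terminals.

Added example, not code from the patent. The log format below is constructed
for this example; the probe resource names and addresses are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    probe_id: str       # unique per inserted probe, so one signal identifies it
    kind: str           # "http": probe fetches a canary URL; "udp": probe sends a datagram
    key: str            # http: canary path; udp: "<firewall_ip>:<port>" the datagram targets
    inserted_into: str  # name of the file the probe was inserted into


@dataclass(frozen=True)
class Alert:
    terminal: str       # client address where the probe executed
    probe_id: str
    inserted_into: str
    evidence: str       # the log line that triggered the alert


class ProbeRegistry:
    """Records the probes the firewall inserted, so that an observed request or
    datagram can be attributed to a probe and hence to a file and a terminal."""

    def __init__(self):
        self._probes = {}   # (kind, key) -> Probe

    def register(self, probe):
        if probe.kind not in ("http", "udp"):
            raise ValueError("unknown probe kind: %r" % probe.kind)
        self._probes[(probe.kind, probe.key)] = probe

    def lookup(self, kind, key):
        return self._probes.get((kind, key))


def parse_line(line):
    """Parse one constructed log line into (kind, client, key), or None.

    Constructed format (assumption):
      HTTP <client> GET <path>
      UDP  <client> -> <dst_ip>:<dst_port> len=<n>
    """
    parts = line.split()
    if len(parts) >= 4 and parts[0] == "HTTP" and parts[2] == "GET":
        return ("http", parts[1], parts[3])
    if len(parts) >= 4 and parts[0] == "UDP" and parts[2] == "->":
        return ("udp", parts[1], parts[3])
    return None


def find_probe_executions(registry, log_lines):
    """Return an Alert for every log line that is a registered probe firing."""
    alerts = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, client, key = parsed
        probe = registry.lookup(kind, key)
        if probe is not None:
            alerts.append(Alert(client, probe.probe_id, probe.inserted_into, line.strip()))
    return alerts


def misconfiguration_report(alerts):
    """Terminal -> sorted probe ids that executed there (the report of claim 23)."""
    report = {}
    for alert in alerts:
        report.setdefault(alert.terminal, set()).add(alert.probe_id)
    return {terminal: sorted(ids) for terminal, ids in report.items()}


# Constructed sample: two probes inserted by the firewall, then a few log lines.
REGISTRY = ProbeRegistry()
REGISTRY.register(Probe("p-0001", "http", "/probe/7f3a1c.gif", "page.html"))
REGISTRY.register(Probe("p-0002", "udp", "10.0.0.1:9", "tool.exe"))

SAMPLE_LOG = [
    "HTTP 10.0.0.12 GET /index.html",
    "HTTP 10.0.0.12 GET /probe/7f3a1c.gif",     # Javascript ran: canary image fetched
    "HTTP 10.0.0.13 GET /images/logo.gif",      # ordinary traffic
    "UDP  10.0.0.14 -> 10.0.0.1:9 len=1",       # executable probe signalled the firewall
    "UDP  10.0.0.15 -> 10.0.0.53:53 len=40",    # ordinary DNS, not a probe
    "garbage line",
]

if __name__ == "__main__":
    report = misconfiguration_report(find_probe_executions(REGISTRY, SAMPLE_LOG))
    for terminal, ids in report.items():
        print(terminal, ids)
```

Giving each inserted probe its own canary path (rather than one shared `image1`) is what lets a single observed request name the probe, the file it was inserted into and the terminal that executed it; with the UDP signal of the patent's C fragment, attribution rests only on the datagram's source address and its destination port, so the registry keys UDP probes by the firewall address and port they target.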

The foregoing merely illustrates the principles of the 
present invention. Therefore, the invention in its broader 
aspects is not limited to the specific details shown and 
described herein. Those skilled in the art will be able to 
devise numerous arrangements which, although not explic- 
itly shown or described herein, embody those principles and 
are within their spirit and scope. 

I claim: 

1. A computer network security method, the method 
comprising the steps of: 

monitoring a communications traffic stream of the com- 
puter network, the communications traffic stream 
including a plurality of files; 

inserting a probe into at least one file of the plurality of 
files; 

determining whether the probe is executed in the com- 
puter network; and 

in response to the execution of the probe, identifying a 
location within the computer network where the execu- 
tion of the probe occurred. 

2. The method of claim 1 further comprising the step of: 

generating a security alert containing at least the identified location within the computer network. 

3. The method of claim 2 wherein the identified location 
is a particular user terminal of a plurality of user terminals 
within the computer network. 

4. The method of claim 1 wherein the inserting the probe 
step occurs in a server within the computer network. 

5. The method of claim 2 wherein the probe is a computer 
virus configured as a trojan horse. 

6. The method of claim 4 wherein the communications 
traffic stream passes through the server as the communica- 
tions traffic stream is exchanged between the computer 
network and a public network. 

7. The method of claim 3 wherein the execution of the 
probe occurs in a web browser running on the particular user 
terminal. 

8. The method of claim 5 wherein the security alert is 
generated as a function of a UDP packet transmitted by the 
trojan horse. 

9. A method for providing security in a private network, 
the private network having a plurality of user terminals, the 
method comprising the steps of: 

monitoring a communications traffic stream between the 
private network and a public network, the communi- 
cations traffic stream including a plurality of files, 
particular ones of the plurality of files destined for 
particular ones of the plurality of user terminals; 

inserting at least one probe of a plurality of probes into the 
particular ones of the plurality of files; 

determining whether the probe is executed by the par- 
ticular one of the user terminals for which the file was 
destined; and 

in response to the execution of the probe, identifying the 
particular one of the user terminals in which the execu- 
tion of the probe occurred. 

10. The method of claim 9 wherein the inserting the at 
least one probe step occurs in a firewall situated between the 
private network and the public network. 

11. The method of claim 10 comprising the further step of: 

transmitting a security alert from the probe to the firewall, the security alert containing an indication of at least the identified user terminal. 

12. The method of claim 10 wherein the inserting the at 
least one probe step occurs as a function of a first access to 
the public network from at least one user terminal. 
13. The method of claim 12 wherein the probe includes at 
least one Javascript instruction. 

14. The method of claim 9 wherein the communications 
traffic stream comprises a plurality of TCP/IP packets. 

15. A method for use in a firewall which provides security 
between a private network and a public network, the method 
comprising the steps of: 

monitoring a communications traffic stream transmitted 
between the private network and the public network, 
the communications traffic stream including a plurality 
of packets; 

inserting a probe into at least one packet of the plurality 
of packets; 

determining whether the probe is executed in the private 
network; and 

in response to the execution of the probe, identifying a 
location within the private network where the execution 
of the probe occurred. 

16. The method of claim 15 wherein the private network 
is a computer network having a plurality of user terminals. 

17. The method of claim 16 wherein the identifying the 
location step further comprises transmitting a signal from 
the probe to the firewall indicating that the probe has 
executed. 

18. The method of claim 16 wherein the inserting the probe 
step occurs as a function of a first access to the public 
network from at least one user terminal. 

19. A network security apparatus comprising: 

a prober for inserting a plurality of probes into a plurality 
of packets exchanged between a private network and a 
public network; and 

a processor for monitoring the plurality of packets and 
determining whether particular ones of the plurality of 
probes are executed in the private network. 

20. The network security apparatus of claim 19 further 
comprising: 

a database for storing the plurality of probes. 

21. The network security apparatus of claim 19 further 
comprising a communications channel for downloading the 
plurality of probes from a central source. 

22. A network security method, the method comprising 
the steps of: 

inserting a plurality of probes into an incoming commu- 
nications stream of a private network; and 

monitoring a plurality of user terminals in the private 
network for an execution of at least one probe of the 
plurality of probes. 

23. The method of claim 22 further comprising the step of: 

generating a report which identifies particular ones of a plurality of user terminals in the private network in which probes have executed. 

24. The method of claim 22 wherein the monitoring the 
plurality of user terminals step further comprises transmit- 
ting a signal to a firewall indicating the execution of the at 
least one probe. 

25. The method of claim 24 wherein the inserting the 
plurality of probes step occurs within a firewall. 

26. The method of claim 24 wherein the incoming com- 
munications stream is from a public network. 

27. The method of claim 26 wherein the inserting the 
plurality of probes step occurs as a function of a request 
from the private network for accessing a particular resource 
within the public network. 

28. The method of claim 26 wherein the inserting the 
plurality of probes step occurs as a function of a first access 
to the public network from at least one user terminal. 
ABSTRACT 

A method of screening a software file for viral infection comprising defining a first database of known macro virus signatures, a second database of known and certified commercial macro signatures, and a third database of known and certified local macro signatures. The file is scanned to determine whether or not the file contains a macro. If the file contains a macro, a signature for the macro is determined and screened against the signatures contained in said databases. A user is alerted in the event that the macro has a signature corresponding to a signature contained in said first database and/or in the event that the macro has a signature which does not correspond to a signature contained in either of the second and third databases. 

14 Claims, 2 Drawing Sheets 

COMPUTER VIRUS SCREENING 

FIELD OF THE INVENTION 

The present invention relates to the screening of computer 
data for viruses and more particularly to the screening of 
computer data for macro viruses. 

BACKGROUND OF THE INVENTION 


Computer data viruses represent a potentially serious liability to all computer users and especially to those who regularly transfer data between computers. Computer viruses were first identified in the 1980s, and up until the mid-1990s consisted of a piece of executable code which attached itself to a bona fide computer program. At that time, a virus typically inserted a JUMP instruction into the start of the program which, when the program was executed, caused a jump to occur to the "active" part of the virus. In many cases, the viruses were inert and activation of a virus merely resulted in its being spread to other bona fide programs. In other cases however, activation of a virus could cause malfunctioning of the computer running the program including, in extreme cases, the crashing of the computer and the loss of data. 

Computer software intended to detect (and in some cases 
disinfect) infected programs has in general relied as a first 
step upon identifying those data files which contain execut- 
able code, e.g. .exe, .com, .bat. Once identified, these files 
are searched (or parsed) for certain signatures which are 
associated with known viruses. The producers of anti-virus 
software maintain up to date records of such signatures 
which may be, for example, checksums. 

WO 95/12162 describes a virus protection system in 
which executable data files about to be executed are passed 
from user computers of a computer network to a central 
server for virus checking. Checking involves parsing the 
files for signatures of known viruses as well as for signatures 
of files known to be clean (or uninfected). 


In 1995, a new virus strain was identified which infected, 
in particular, files of the Microsoft Office™ system. Given 
the dominant position of Microsoft Office™ in the computer 
market, the discovery of these viruses has caused much 
consternation. 


Microsoft Office™ makes considerable use of so-called 
"macros" which are generally small executable programs 
written in a simple high level language. Macros may be 
created, for example, to provide customised menu bars or 
"intelligent" document templates or may be embedded in 
some other file format. For example, macros may be embed- 
ded in template files (.dot) or even in Microsoft Word™ files 
(.doc). 

As the new strains of virus discovered in 1995 infect 
macro files, they are generally referred to as "macro 
viruses". It will be appreciated that the possibility for macro 
viruses to be spread is great given the frequency with which 
Microsoft Office™ files are copied between two computers 
either by way of floppy disk or via some other form of 
electronic data transfer, e.g. the Internet. Indeed, viruses 
such as "WM/Concept" are known to have spread widely 
and rapidly at a global level. 

Producers of anti-virus software have approached the 
macro virus problem by maintaining and continuously 
updating records of macro viruses known to exist in the 
"wild". As with more conventional viruses, a signature 
(commonly a checksum) is determined for each macro virus 
and these signatures are disseminated to end users of anti- 
virus software. The software generally scans data being 
written to or read from a computer's hard disk drive for the 
presence of macros having a checksum corresponding to one 
of the identified viruses. 

There are a number of problems with these more or less 
conventional approaches. Firstly, the number of macro 
viruses is exploding with around 3000 identified by mid 
1998. There is inevitably a time lag between a virus being 
released and its being identified, by which time many 
computers may have been infected. Secondly, end users may 
be slow in updating their systems with the latest virus 
signatures. Again, this leaves a window of opportunity for 
systems to be infected. 

WO 98/14872 describes an anti-virus system which uses 
a database of known virus signatures as described above, but 
which additionally seeks to detect unknown viruses based 
upon expected virus properties. However, given the inge- 
nuity of virus producers, such a system is unlikely to be 
completely effective against unusual and exotic viruses. 

SUMMARY OF THE PRESENT INVENTION 

It is an object of the present invention to overcome or at 
least mitigate the above noted disadvantages of existing 
anti-virus software. 

This and other objects are met by screening computer data 
to identify macros which do not correspond to known 
certified and acceptable macros. 

According to a first aspect of the present invention there 
is provided a method of screening a software file for viral 
infection, the method comprising: 

defining a database of signatures indicative of macros 
previously certified as being virus free; 

scanning said file to determine whether or not the file 
contains a macro; and 

if the file contains a macro, determining whether or not 
the macro has a signature corresponding to one of the 
signatures contained in said database. 

It will be appreciated that embodiments of the present 
invention have the advantage that they may be used to 
effectively block the transfer and/or processing of files 
which contain a previously unidentified (either to the local 
user or to the software producer) macro virus. It is therefore 
less critical (or even unnecessary) for the software to be 
updated to take account of newly detected viruses. 

Preferably, said step of defining a database of signatures 
indicative of macros previously certified as being virus free 
comprises scanning a set of end user applications which are 
known to be virus free to identify macros therein, determin- 
ing a signature for each of the identified macros, and 
compiling the determined signatures into the database. More 
preferably, the step of defining the database comprises the 
further steps of updating the database with additional macro 
signatures. This updating may be done via an electronic link 
between a computer hosting the database (where the scan- 
ning of the file is performed) and a remote central computer. 
Alternatively, the database may be updated by way of data 
stored on an electronic storage medium such as a floppy 
disk. The database may also include signatures correspond- 
ing to widely used proprietary macros, e.g. those used by 
large organisations. 

Preferably, the method comprises defining a second data- 
base comprising signatures indicative of macro viruses, and 
scanning said file to determine whether or not the file 
contains a signature corresponding to one of signatures 
contained in the second database. This second database may 
be created at a central site and disseminated to end users by floppy disk or direct electronic data transfer. 

Preferably, the method comprises creating a set of signatures corresponding to a set of user specific macros, certified by the user as being virus free. These signatures may be added to the first mentioned database, or may be included in a separate database. In either case, the method comprises scanning a macro identified in a file to determine whether or not the macro has a signature corresponding to a signature of a user certified macro. The user in this case may be an end user, but preferably is a network manager. In the latter case, database updates made by the network manager are communicated to the network end user computers where the virus screening is performed. 

According to a second aspect of the present invention there is provided a method of screening a software file for viral infection, the method comprising: 

defining a first database of known macro virus signatures, a second database of known and certified commercial macro signatures, and a third database of known and certified local macro signatures; 

scanning said file to determine whether or not the file contains a macro; and, if the file contains a macro, determining a signature for the macro and screening that signature against the signatures contained in said databases; and 

alerting a user in the event that the macro has a signature corresponding to a signature contained in said first database and/or in the event that the macro has a signature which does not correspond to a signature contained in either of the second and third databases. 

According to a third aspect of the present invention there is provided apparatus for screening a software file for viral infection, the apparatus comprising: 

a memory storing a set of signatures indicative of macros previously certified as being virus free; and 

a data processor arranged to scan said file to determine whether or not the file contains a macro and, if the file does contain a macro, to determine whether or not the macro has a signature corresponding to one of the signatures contained in said database. 

According to a third aspect of the present invention there is provided a computer memory encoded with executable instructions representing a computer program for causing a computer system to: 

maintain a database of signatures indicative of macros previously certified as being virus free; 

scan data files to determine whether or not the files contain a macro; and 

if a file contains a macro, determine whether or not the macro has a signature corresponding to one of the signatures contained in said database. 

Preferably, the computer program provides for the updating of said database with additional macro signatures. 

Preferably, the computer program causes a second database to be maintained which comprises signatures indicative of macro viruses, and further causes the files to be scanned to determine whether or not they contain a signature corresponding to one of signatures contained in the second database. More preferably, the computer program causes a third database to be maintained which comprises signatures indicative of macros defined locally, e.g. at the level of a local network to which the programmed computer is connected. The computer program causes this third database to be scanned for a match between signatures of a file macro not already matched in the first and second databases, and signatures contained in the third database. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a functional block diagram of a computer system in which is installed macro virus screening software; and 

FIG. 2 is a flow chart illustrating the method of operation of the system of FIG. 1. 

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS 

For the purpose of illustration, the following example is described with reference to the Microsoft Windows™ series of operating systems, although it will be appreciated that the invention is also applicable to other operating systems such as Macintosh system and OS/2. With reference to FIG. 1, an end user computer 1 has a display 2 and a keyboard 3. The computer 1 additionally has a processing unit and a memory which provide (in functional terms) a graphical user interface layer 4 which provides data to the display 2 and receives data from the keyboard 3. The graphical user interface layer 4 is able to communicate with other computers via a network interface 5 and a network 6. The network is controlled by a network manager 7. 

Beneath the graphical user interface layer 4, a number of user applications are run by the processing unit. In FIG. 1, only a single application 8 is illustrated and may be, for example, Microsoft Word™. The application 8 communicates with a file system 9 which forms part of the Microsoft Windows™ operating system and which is arranged to handle file access requests generated by the application 8. These access requests include file open requests, file save requests, file copy requests, etc. The lowermost layer of the operating system is the disk controller driver 10 which communicates with and controls the computer's hard disk drive 11. The disk controller driver 10 also forms part of the Microsoft Windows™ operating system. 

Located between the file system 9 and the disk controller driver 10 is a file system driver 12 which intercepts file system events generated by the file system 9. The role of the file system driver 12 is to co-ordinate virus screening operations for data being written to, or read from, the hard disk drive 11. A suitable file system driver 12 is, for example, the GATEKEEPER™ driver which forms part of the F-SECURE ANTI-VIRUS™ system available from Data Fellows Oy (Helsinki, Finland). In dependence upon certain screening operations to be described below, the file system driver 12 enables file system events to proceed normally or prevents file system events and issues appropriate alert messages to the file system 9. 

The file system driver 12 is functionally connected to a macro virus controller 13, such that file system events received by the file system driver 12 are relayed to the macro virus controller 13. The macro virus controller is associated with three databases 14 to 16 which each contain a set of "signatures" previously determined for respective macros. For the purposes of this example, the signature used is a checksum derived using a suitable checksum calculation algorithm, such as the US Department of Defence Secure Hash Algorithm (SHA) or the older CRC 32 algorithm. 

The first database 14 contains a set of signatures derived for known macro viruses. The signatures in this database 14 are determined by the provider of the file driver system 12 and the macro virus controller 13 and are regularly updated to take into account newly discovered viruses. Updates may be provided by way of floppy disks or directly by downloading them from a remote server 17 connected to the Internet 18. 
The second database 15 contains a set of signatures 
derived for commercially available macros. These macros 
include those supplied with the Microsoft Office™ operating 
system and with user applications such as Microsoft 
Word™. Again, these signatures are determined by the 
provider of the file driver system 12 and the macro virus 
controller 13 and are regularly updated to take into account 
newly available products. 

The third database 16 contains a set of signatures which 
are derived for macros created and used at the local network 
level, for example letter templates and the like (of course 
this database may be empty if no local macros are defined). 
Once a new local macro is created, typically at the network 
manager 7, the macro is processed by the network manager 
7 to derive the corresponding (checksum) signature. This is 
then relayed via the local network 6 to the end user computer 
1 where it is added to the third database 16. It is usually the 
case that only the network manager has the authority to 
modify this database 16, whilst the first and second data- 
bases 14,15 can be updated only by the network manager 7 
using signatures specified by the anti-virus software pro- 
vider. 

Upon receipt of a file system event, the macro virus controller 13 first analyses the file associated with the event (and which is intended to be written to the hard disk drive 11, read, copied, etc.) to determine if the file contains a macro. This may include examining the file name extension (e.g. to identify .dot, .doc files) and/or scanning the file for embedded macros. If one or more macros is identified in the file, a checksum signature is determined for the or each identified macro. 

Assuming that a single macro is identified in the file, the macro virus controller 13 scans the first database 14 to determine whether or not the corresponding signature is present in that database 14. If the signature is found there, the macro virus controller 13 reports this to the file system driver 12. The file system driver 12 in turn causes the system event to be suspended and causes an alert to be displayed to the user that a known virus is present in the file. The file system driver 12 may also cause a report to be sent to the network manager 7 via the local network 6. 

If this first scan does not locate a known virus, the macro virus controller 13 proceeds to search the second database 15 to determine whether or not the signature for the identified macro is present in that database 15. If the signature is found, then an appropriate report is sent to the file system driver 12, which in turn allows the file event to proceed normally. However, if the signature is not found in the second database 15, this indicates that the identified macro is unknown to the system and may be a new and unknown virus. 

Before a warning is issued to the user, the macro virus controller 13 searches the third database 16 to determine whether the as yet unidentified macro corresponds to a locally defined macro. If the answer is yes, then the macro virus controller 13 reports accordingly to the file system driver 12 and the event is allowed to proceed. On the other hand, if the identified macro signature is not found in the third database 16, then the macro virus controller 13 reports this to the file system driver 12 and the event is suspended. Again, a report is sent to the network manager 7, and also possibly to the remote server 17 of the software provider. This report may be accompanied by a copy of the "guilty" macro. 

The file scanning system described above is further illus- 
trated by reference to the flow chart of FIG. 2. 
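The screening order just described (database 14 first, then 15, then 16, with the event suspended only when a known virus is found or when no database vouches for the macro) is the same logic stated in the first and second aspects of the summary above. The following Python is an added example of that decision procedure; it is not the patent's code nor the F-SECURE product's. The macro container format is a constructed stand-in for a real .doc/.dot file, the sample macro bodies are constructed, and SHA-256 is used as the checksum (the text names SHA and CRC-32 as candidates; the choice is an assumption).

```python
"""Three-database macro screening, as an added example (not the patent's own code).

Assumptions: macros are extracted from a constructed toy container format;
the signature is SHA-256 (the text names SHA and CRC-32 as candidates).
"""
import hashlib
import re
from enum import IntEnum


class Verdict(IntEnum):
    # Ordered by severity so the worst verdict for a file can be taken with max().
    NO_MACRO = 0        # nothing to screen: event proceeds
    CERTIFIED = 1       # signature found in database 15 or 16: event proceeds
    UNKNOWN_MACRO = 2   # matched nowhere: suspend event, report to network manager
    KNOWN_VIRUS = 3     # signature found in database 14: suspend event, alert user


# Constructed toy container (assumption): each macro body sits between these markers.
# Real Word files keep macros in OLE streams; parsing those is outside this example.
_MACRO_RE = re.compile(rb"<<MACRO>>(.*?)<</MACRO>>", re.DOTALL)


def find_macros(data):
    """Scan file content for embedded macros. The text allows an extension check
    (.doc, .dot) as a first step; here every file is scanned regardless of name,
    so a renamed document is not waved through."""
    return [m.group(1) for m in _MACRO_RE.finditer(data)]


def signature(macro):
    """Checksum signature of one macro body (SHA-256 here, an assumption)."""
    return hashlib.sha256(macro).hexdigest()


def screen_signature(sig, virus_db, commercial_db, local_db):
    """Consult the databases in the order the description gives: 14, then 15, then 16."""
    if sig in virus_db:
        return Verdict.KNOWN_VIRUS
    if sig in commercial_db or sig in local_db:
        return Verdict.CERTIFIED
    return Verdict.UNKNOWN_MACRO


def screen_file(data, virus_db, commercial_db, local_db):
    """Return (overall verdict, [(signature, verdict) for each macro]).

    A file with several macros is judged by its worst macro: one known virus
    or one uncertified macro is enough to suspend the file system event.
    """
    per_macro = []
    for macro in find_macros(data):
        sig = signature(macro)
        per_macro.append((sig, screen_signature(sig, virus_db, commercial_db, local_db)))
    overall = max((verdict for _, verdict in per_macro), default=Verdict.NO_MACRO)
    return overall, per_macro


def build_database(macros):
    """Databases 15 and 16 are built by signing macros known or certified to be clean;
    database 14 is built the same way from known virus macros."""
    return {signature(m) for m in macros}


def wrap(*macros):
    """Build a constructed container holding the given macro bodies."""
    return b"".join(b"<<MACRO>>" + m + b"<</MACRO>>" for m in macros)


# Constructed sample macros (plain-text stand-ins, not real VBA).
COMMERCIAL_MACRO = b"Sub AutoOpen()\n  ShowToolbar\nEnd Sub\n"
LOCAL_MACRO = b"Sub LetterTemplate()\n  InsertLetterhead\nEnd Sub\n"
VIRUS_MACRO = b"Sub AutoOpen()\n  CopySelfToNormalDot\nEnd Sub\n"
NEW_MACRO = b"Sub Mystery()\n  DoSomething\nEnd Sub\n"

VIRUS_DB = build_database([VIRUS_MACRO])            # database 14, from the vendor
COMMERCIAL_DB = build_database([COMMERCIAL_MACRO])  # database 15, from the vendor
LOCAL_DB = build_database([LOCAL_MACRO])            # database 16, from the network manager

if __name__ == "__main__":
    for name, data in [("memo.doc", wrap(COMMERCIAL_MACRO)),
                       ("letter.dot", wrap(LOCAL_MACRO, NEW_MACRO)),
                       ("bad.doc", wrap(VIRUS_MACRO)),
                       ("plain.doc", b"no macros here")]:
        overall, _ = screen_file(data, VIRUS_DB, COMMERCIAL_DB, LOCAL_DB)
        print(name, overall.name)
```

Two points worth noting. The allow-list behaviour comes from the second and third databases: a macro the vendor has never seen is still suspended unless the network manager has certified it locally, which is what makes the scheme useful against a not-yet-signatured virus. And because the verdict is the maximum over all macros in the file, a document carrying one certified template macro alongside one unknown macro is still suspended rather than allowed on the strength of the certified one.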
It will be appreciated by the person of skill in the art that 
various modifications may be made to the embodiment 
described above without departing from the scope of the 
present invention. For example, the file system driver 12 
may make use of further virus controllers including control- 
lers arranged to screen files for viruses other than macro 
viruses. The file system driver 12 may also employ disin- 
fection systems and data encryption systems. 

It will also be appreciated that the file system driver 12 
typically receives all file access traffic, and not only that 
relating to hard disk access. All access requests may be 
passed to the macro virus controller 13 which may select 
only hard disk access requests for further processing or may 
also process other requests relating to, but not limited to, 
floppy disk data transfers, network data transfers, and 
CDROM data transfers. 

We claim: 

1. A method of screening a software file for viral infection, 
the method comprising: 

defining a first database of known macro virus signatures, 
a second database of known and certified commercial 
macro signatures, and a third database of known and 
certified local macro signatures; 
scanning said file to determine whether or not the file contains a macro; and, if the file contains a macro, determining a signature for the macro and screening that signature against the signatures contained in said databases; and 

alerting a user in the event that the macro has a signature 
corresponding to a signature contained in said first 
database and/or in the event that the macro has a 
signature which does not correspond to a signature 
contained in either of the second and third databases. 

2. A method according to claim 1, wherein said step of 
defining a second database of known and certifiable com- 
mercial macro signatures comprises scanning a set of end 
user applications which are known to be virus free to 
identify macros therein, determining a signature for each of 
the identified macros, and compiling the determined signa- 
tures into the second database. 

3. A method according to claim 1, wherein the step of 
defining the third database comprises the further steps of 
updating the third database with additional macro signa- 
tures. 

4. A method according to claim 3, wherein said updating 
steps are done via an electronic link between a computer 
hosting the database, where the scanning of the file is 
performed, and a remote central computer. 

5. A method according to claim 1, wherein the user is a 
network manager and database updates made by the network 
manager are communicated to network end user computers 
where virus screening is performed. 

6. A method according to claim 1, wherein said step of 
determining a signature for the macro and screening that 
signature comprises deriving a signature of the macro and 
comparing the derived signature with signatures in the 
databases. 

7. A method of screening a software file to determine 
whether any macro contained therein does or does not 
contain a virus, the method comprising: 

defining a first database of known macro virus signatures, 
a second database of known and certified commercial 
macro signatures, and a third database of known and 
certified local macro signatures; 
scanning said file to determine whether or not the file 
contains a macro; and 
if the file contains a macro, determining whether or not the macro has a signature corresponding to one of the signatures contained in said databases. 

8. Apparatus for screening a software file for viral infection, the apparatus comprising: 

a memory storing a first database of known macro virus signatures, a second database of known and certified commercial macro signatures, and a third database of known and certified local macro signatures; and 

a data processor arranged to scan said file to determine whether or not the file contains a macro and, if the file does contain a macro, to determine whether or not the macro has a signature corresponding to one of the signatures contained in said databases. 

9. The apparatus according to claim 8, wherein, in order to determine whether or not the macro has a signature corresponding to one of the signatures contained in said databases, said data processor is arranged to derive a signature of the macro and to compare the derived signature with signatures in the databases. 

10. A computer memory encoded with executable instructions representing a computer program for causing a computer system to: 

maintain a first database of known macro virus signatures, a second database of known and certified commercial macro signatures, and a third database of known and certified local macro signatures; 

scan data files to determine whether or not the files contain a macro; and 

if a file contains a macro, determine whether or not the macro has a signature corresponding to one of the signatures contained in said second database. 

11. A computer memory according to claim 10, wherein the computer program provides for the updating of said third database with additional macro signatures. 

12. A computer memory according to claim 10, wherein the computer program causes the files to be scanned to determine whether or not they contain a signature corresponding to one of signatures contained in the first database. 

13. A computer memory according to claim 12, wherein the computer program causes the third database to be scanned for a match between signatures of a file macro not already matched in the first and second databases, and signatures contained in the third database. 

14. The computer memory according to claim 10, wherein in order to determine whether or not the macro has a signature corresponding to one of the signatures contained in said databases, said computer program causes the computer system to derive a signature of the macro and to compare the derived signature with signatures in the databases. 

* * * * * 